Comments (8)
Aside from terminology and flow changes, this seems like a good time to rearrange the SIEM docs (which I've wanted to do for a while). Currently, the docs are based on the UI. I'd like your input on moving to a more workflow-based structure.
Something like this:
- Overview
- Getting started (prerequisites, beats, endpoint, ECS)
- Investigations
  - Terminology/UI
  - Host events
  - Network events
  - Timeline/Timeline templates
  - Cases
- Detections
  - Detection rules
  - ML jobs
- APIs
- Reference guide
  - Detailed ECS mappings (coming soon to 7.7)
  - Object schemas (as the number of APIs grows, we're going to need dedicated sections for each object, like alerts and timelines)
Please add your thoughts, Endpoint headings wherever it makes sense, and CC other relevant people.
Thanks,
from security-docs.
Adding in some of the content I've been working on/know of, iterating on top of Ben's:
- Get Started
  - Security App Overview
  - Prerequisites
  - Install the Endpoint Agent
  - SIEM related onboarding documentation
- Investigations
  - Terminology/UI
  - Host events
  - Network events
  - Timeline/Timeline (Resolver/Graphical timeline) templates
  - Cases
- Detections
  - Detection rules
  - ML jobs
- Admin Guide
  - Endpoint Management
  - Other admin tasks
- API
- Reference guide
  - Detailed ECS mappings (coming soon to 7.7)
  - Object schemas (as the number of APIs grows, we're going to need dedicated sections for each object, like alerts and timelines)
I don't think we have to explicitly call out User Guides as "User Guides" as long as the persona and use case is obvious. Because there are so many ways to interact (Resolver, Case Management, Timelines) with events, I wonder if it would be best to make each a separate User Guide, kind of like how SIEM is separated now.
Any thoughts on this @benskelker and @jmikell821?
Oh, one thing I forgot to add was Release Notes, but that'll be at the bottom I imagine.
Thanks @Donnater
I don't think we have to explicitly call out User Guides as "User Guides" as long as the persona and use case is obvious.
Yes, I agree. Unlike admin stuff, I don't think this needs to be explicitly stated in the first-level sections.
Because there are so many ways to interact (Resolver, Case Management, Timelines) with events, I wonder if it would be best to make each a separate User Guide, kind of like how SIEM is separated now.
I'd prefer to restructure and have high-level intro sections. I think it'll help users get a better overview of how Elastic Security can be used.
For Kibana-specific security stuff (siem index mappings, map configuration, user permissions), we need to decide what goes in the getting started chapter, what goes in the admin chapter, and what goes in both.
Table of contents draft three:
- Elastic Security App Overview: (Janeen) #28
  - Security Update Overview/What's New in 7.9? #58, #69
  - Components
  - Breaking Changes
- Ben's User flows (Functionality) #31
  - Getting Started (Include intro topic)
  - Anomaly and Detection
    - Prebuilt rule reference
    - ML Jobs (Ben)
    - Detections and Alerts
  - Investigating Events
  - Cases (ticketing) (Ben): #65
- API (Ben)
- Detailed ECS mappings and Object Schemas (Ben) #62
- Release notes: (Nate) #53
- Glossary/Terminology: (Janeen) #42
TBD (content we don't know enough about/content that doesn't have) - Frequently Asked Questions (FAQs)
- Alerts
@jmikell821 @Donnater Now we know there is going to be a first-level Detections tab in the UI, maybe we should name this section Detections and Alerts?
Also, do you think we need a What's new section (starting from the 7.10 release I guess)?
@benskelker let's clarify the definition of each because isn't a detection a type of alert? Or I guess in theory, a detection is the same thing as an alert? I'll follow up with the PMs.
@jmikell821 I think it's something like this:
- Enable and create detection rules which generate detection alerts
- Enable promotion detection rules to:
  - Generate external alerts
  - Generate endpoint alerts
So all alerts rely on detections.